
CHAPTER 3 LINUX FORENSICS

Paladin Linux
Developed by Sumuri, Paladin is a versatile Linux distribution based on Ubuntu. It is one
of the most beautifully crafted forensic suites available on the market. With over 100 tools
spanning 33 categories, Paladin is fully equipped to take on any forensic challenge.

CAINE
CAINE is an acronym for Computer Aided Investigation Environment. It is a Linux
distribution built for Digital Forensic Investigation. It offers a complete forensic
environment and user-friendly GUI. This project is completely open source.

Challenges
The fundamental approach to a forensic examination of a Linux system remains the
same as for any other operating system. However, there are a few differences in the
design of Linux that cyber forensic experts need to take note of.
First, Linux does not have a central Registry like Windows. The data is scattered
across the OS and has to be collected from multiple sources. Second, a file's metadata is
zeroed when the file is deleted, which becomes a huge problem at the time of data
recovery.
Over time, Linux systems have gained significant popularity and grown their user base;
however, compared to Microsoft Windows, Linux is still used on very few home systems.
Because of these low numbers, there has not been much impetus to create specialized
forensic tools for Linux systems.
Linux is mostly used for advanced computing needs such as server systems or corporate
computing, whereas on home systems it serves as a desktop/notebook operating system.
We mentioned that there are numerous Linux distributions designed for specific tasks or
with unique USPs. This is the challenge a cyber forensic examiner faces when a Linux
machine is encountered. Although these distributions all have the Linux kernel at their
core, the developers layer unique code above it to create distinct, special-purpose
operating systems.


Cyber forensic experts will need to study the operating system to obtain the
forensically important artifacts and use compatible tools and techniques. Although
EXT4 is a strong and stable file system, it is still a relatively new feature of modern Linux
systems, so tool compatibility with it remains an issue.
Linux tools are mostly command line and therefore not the easiest to use. This is due
to lower demand and fewer Linux forensic tool developers. But with changing times this
is sure to change in due course, and more tools are expected to appear in the future.

Differences Between Windows and Linux from a Forensics Perspective
Here is a table that highlights the differences between Windows and Linux.

Windows: Windows has a central Registry that is used for collecting and storing the
configuration settings of Windows components, installed hardware & software
applications, etc.
Linux: Linux does not have a central Registry like Windows. The data is scattered across
the OS, which has to be collected from multiple sources.

Windows: Windows supports FAT (with its variations) or NTFS file systems.
Linux: Linux supports EXT (with its variations) file system.

Windows: Most of the tools are GUI based and easy to understand or use.
Linux: Most of the Linux tools are command line and not GUI based, and hence they are
not the easiest ones to use.

Windows: In Windows, you can have many user accounts with administrative privileges.
Linux: Linux has only one administrative account called root. Root account has complete
control of the system.

Windows: In Windows, you can find file permissions in the Security tab of the Properties
section of My Computer, and they are kept in the Registry.
Linux: In Linux, by running the ls -l command on a directory or on a particular file, you
can view these file permissions.

Windows: Windows has a Recycle Bin folder to store deleted files, and these deleted files
can be recovered from it.
Linux: Linux distributions have Trash functions that contain deleted files of the
particular user.
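As an added example (not from the book), a POSIX shell script that puts two rows of the table into practice on constructed sample data: it lists every UID 0 account in a passwd file, since Linux is expected to have a single administrative account and any extra root-equivalent entry is a finding, and it inventories a per-user Trash directory in the freedesktop.org layout (a files/ directory beside info/*.trashinfo records carrying a percent-encoded Path and a DeletionDate), which is how modern desktop distributions implement the Trash function the table mentions. The passwd entries and Trash contents below are constructed for the example.

```shell
#!/bin/sh
# Constructed sample data (not from a real system): a passwd file with an
# extra UID 0 entry, and a per-user Trash directory in the freedesktop.org layout.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/root:/bin/sh
EOF
TRASH="$WORK/Trash"; mkdir -p "$TRASH/files" "$TRASH/info"
printf 'payroll data\n' > "$TRASH/files/payroll.csv"
printf '[Trash Info]\nPath=/home/alice/Documents/payroll.csv\nDeletionDate=2024-03-01T09:15:00\n' \
    > "$TRASH/info/payroll.csv.trashinfo"
printf 'x\n' > "$TRASH/files/notes.txt"
printf '[Trash Info]\nPath=/home/alice/notes%%20old.txt\nDeletionDate=2024-03-02T18:40:12\n' \
    > "$TRASH/info/notes.txt.trashinfo"

# Every account whose UID field is 0 is root-equivalent; the table says Linux has
# a single administrative account, so any name besides root here is a finding.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Decode the percent-encoded Path= value that a .trashinfo record carries.
urldecode() {
    s=$1; out=""
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s#%}; hex=${hex%"${hex#??}"}
                out="$out$(printf "\\$(printf '%03o' "0x$hex")")"; s=${s#???} ;;
            *) out="$out${s%"${s#?}"}"; s=${s#?} ;;
        esac
    done
    printf '%s' "$out"
}

# Pair each info/*.trashinfo record with the content still held under files/,
# giving original path, deletion time and size for every item the user deleted.
trash_inventory() {
    for info in "$1"/info/*.trashinfo; do
        name=$(basename "$info" .trashinfo)
        path=$(urldecode "$(sed -n 's/^Path=//p' "$info")")
        when=$(sed -n 's/^DeletionDate=//p' "$info")
        printf '%s|%s|%s\n' "$path" "$when" "$(wc -c < "$1/files/$name" | tr -d ' ')"
    done
}

uid0_accounts "$WORK/passwd"
trash_inventory "$TRASH"
```

On a live system the same functions would be pointed at /etc/passwd and at each user's ~/.local/share/Trash, which is where the per-user Trash lives under that layout.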

